在grafana的主配置文件grafana.ini中开启LDAP认证
注意:grafana有两个地方需要指定(/etc/grafana/grafana.ini和/usr/share/grafana/conf/defaults.ini)
[auth.ldap] enabled = true config_file = /etc/grafana/ldap.toml allow_sign_up = true
config_file指定grafana的ldap配置文件ldap.toml的具体位置
ldap.toml配置文件的内容如下:
[[servers]] host = "10.2.3.147" port = 389 use_ssl = true start_tls = true ssl_skip_verify = true bind_dn = "cn=Manager,dc=baidu,dc=com" bind_password = '123qweasdzxc' search_filter = "(cn=%s)" search_base_dns = ["ou=People,dc=baidu,dc=com"] #这个是LDAP里存放所有用户的 group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))" group_search_base_dns = ["ou=Group,dc=baidu,dc=com"] #这个是LDAP的组 [servers.attributes] name = "displayName" surname = "sn" username = "cn" member_of = "cn" email = "mail" [[servers.group_mappings]] #这个就表示LDAP里为yunwei组,映射到grafana里的权限是Viewer权限 group_dn = "yunwei" org_role = "Viewer" [[servers.group_mappings]] #这个就表示LDAP里的dev组,映射到grafana里的权限是Admin权限 group_dn = "dev" org_role = "Admin"
重启grafana
systemctl restart grafana-server
参考文档
https://blog.frognew.com/2017/07/config-grafana-with-ldap.html